Holding Back Salt Typhoon + Other Chinese APT CVEs

Over the past several years, US Federal Agencies and private sector companies have observed China-based threat actors targeting network and telecommunication critical infrastructure. A wave of recent reports have disclosed that these attacks have succeeded in compromising government and industry targets to a far greater extent than previously thought. As a result, CISA has issued new guidance for telecommunications companies to secure their infrastructure, and the U.S. Federal Communications Commission (FCC) has drafted new, stricter cybersecurity regulations to require telcos to “secure their networks against unlawful access and interception.”

Introduction to Malware Binary Triage (IMBT) Course

Looking to level up your skills? Get 10% off using coupon code: MWNEWS10 for any flavor.

Enroll Now and Save 10%: Coupon Code MWNEWS10

Note: Affiliate link – your enrollment helps support this platform at no extra cost to you.

The threat activity by these groups goes back at least half a decade. As far back as 2020 the following threat actor groups, including Salt Typhoon, have been observed, with solid evidence of operations based in China that are state-sponsored:

Salt Typhoon

Leveraging malware such as GhostSpider, SnappyBee, and Masol RAT

Volt Typhoon

Responsible for the KV Botnet

Flax Typhoon

Responsible for the Raptor Train Botnet

Velvet Ant

AKA China-Nexus group

Personal Panda leveraging malware such as Winnti-T, Asnarok, and Pygmy Goat

These campaigns have leveraged a wide variety of vulnerabilities and sophisticated tools, including 0-day vulnerabilities. The TTPs (Tactics, Techniques, and Procedures) have also leveraged commodity tools (such as Mirai botnet code) as well as more sophisticated malware with capabilities such as firmware backdoors and UEFI implants

Known Exploited Vulnerabilities in the Network Device Supply Chain

A key element of this unfolding story is that most of the CVEs exploited by these attackers are listed in CISA’s Known Exploited Vulnerabilities catalog, and some were also listed in the top 42 most routinely exploited vulnerabilities of 2023, also published by CISA. Furthermore, many of the vulnerabilities exist inside network devices, and even security devices that the targeted organizations purchase from vendors they trust to provide secure equipment. The supply chain of network infrastructure devices is far less secure than it should be. 

End user workstations and endpoints are subjected to a huge battery of cybersecurity requirements, tests, scans, and regulations. In contrast, network devices like routers, switches, and even firewalls from vendors like Cisco, Sophos, Palo Alto, and more are assumed to be secure. The Salt Typhoon attacks and other PRC-sponsored adversaries show that security teams must update their assumptions and treat network devices as insecure until proven otherwise. Verifying the integrity of these devices before connecting them to critical infrastructure networks, and monitoring them continuously for updates, especially in firmware, is a crucial step in protecting critical telecommunications infrastructure against advanced adversaries.

Salt Typhoon, Flax Typhoon, and More APT Tactics Detected by Eclypsium

The Eclypsium team has been tracking this activity and developing detections for vulnerabilities and IoCs (Indicators of Compromise) across several platforms. We are constantly adding new detections to assure our customers get broad coverage of the TTPs used by these threat groups. Below is a sampling of CVEs related to Salt Typhoon, Flax Typhoon, Pacific Rim, Velvet Ant, and other Chinese APTs that can be detected by the Eclypsium platform.

This list is continuously growing as new detections are added to the Eclypsium platform. Eclypsium customers can contact their account representative for the most up-to-date list of vulnerabilities and IOCs detected by Eclypsium.

CVE IdentifierVulnerability DescriptionAssociated Threat Groups & Campaigns
CVE-2019-11510Pulse Connect Secure VPN vulnerabilitySodinokibi
CVE-2019-19781Citrix ADC and Gateway vulnerabilitySodinokibi/REvil
CVE-2024-20399Cisco NX-OS vulnerabilityVelvet Ant
CVE-2022-1388F5 BIG-IP vulnerabilityFlax Typhoon, Velvet Ant
CVE-2021-1497Cisco HyperFlex HX vulnerabilityChinese state-sponsored actors
CVE-2020-12271Sophos XG Firewall vulnerabilityPacific Rim
CVE-2020-15069Sophos Firewall vulnerabilityPacific Rim
CVE-2020-29574Sophos Firewall vulnerabilityPacific Rim
CVE-2022-1040Sophos Firewall vulnerabilityPacific Rim
CVE-2022-3236Sophos Firewall vulnerabilitySalt Typhoon, Pacific Rim
CVE-2023-46805Ivanti Connect Secure VPN vulnerabilitySalt Typhoon, Volt Typhoon
CVE-2024-21887Ivanti Connect Secure VPN vulnerabilitySalt Typhoon, Volt Typhoon
CVE-2024-21888Ivanti Connect Secure VPN vulnerabilityVolt Typhoon
CVE-2024-21893Ivanti Connect Secure VPN vulnerabilityVolt Typhoon
CVE-2022-42475FortiOS SSL-VPN vulnerabilityVolt Typhoon
CVE-2021-44228Log4jFlax Typhoon
CVE-2023-3519Citrix Netscaler – Unauthenticated Remote Code Execution (RCE) vulnerabilityFlax Typhoon
No CVERaptor Train BotnetFlax Typhoon

Detecting Vulnerabilities is Only The Beginning

Detecting vulnerabilities is important, but preventing and protecting against attacker persistence and future intrusion is also critical. Eclypsium is able to verify the integrity of hardware, software, and firmware components in user endpoints and network devices. This reduces the necessity of trusting vendors, and enables telecommunications organizations to verify that their supply chain of network devices and software is not introducing new vulnerabilities into the environment that are subsequently targeted by adversaries. If you’re interested in getting a demonstration of how we can help you mitigate your risk from these APT tactics, please get in touch with us.

Further Reading

The post Holding Back Salt Typhoon + Other Chinese APT CVEs appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

Article Link: Detecting and Mitigating Salt Typhoon and Other Chinese APTs - Eclypsium | Supply Chain Security for the Modern Enterprise